(Feeling a tad silly, now that I have discovered I was not replying to the actual mailing list but to single people.)

OK, so I have managed to get both the ldap and hdb databases to coexist, mostly through copying code straight from the ldapglue test in the OpenLDAP build files. The ldif file I use now for my backend is as follows -

I can search dc=companyname,dc=local fine; I see the users in this tree and the Internal OU. However, I do not see any of the users from the AD linked to by this database. I know I can ldap search it from the server and get results, so I believe that either I need to construct my search differently or it is an authentication issue. As I read it, I need to use idassert-bind, specifying a user from AD with read access, and that user will be used to search AD.

I have a few questions leading from this - The first is: does anyone know the syntax for idassert-bind as it applies to ldif files to be ldapadded to the RTC? As I read it, if it were slapd.conf I would want -

The second is - am I correct in thinking that, once this is all working, a search with (objectclass=*) on the dc=companyname,dc=local should return all the users in that branch as well as all the users in AD? Or will I need to craft my search differently to deal with the proxy?

The third is also just a confirmation - is idassert-bind meant for what I think it is? Should it contain a user not in the local DSA but in the one I am proxying to? Or have I misread?